What Accountants Need to Know About GDPR

Privacy rights and regulations are like Brussels sprouts – they’re good for you, but few people like them. It has been said that “big data is the new big brother,” and the regulators from the European Union in Brussels and their friends in the EU Parliament have passed new regulations to protect personal privacy called the General Data Protection Regime (GDPR).

This new law changes how most personal information is handled in businesses – with significant fines for noncompliance. While you may view as bad the series of feel-good laws which seem to support the EU’s vision of a government for the regulators, by the regulators, your business is subject to the regulations if you do business in Europe or if you do business with anyone who is a citizen of the EU, starting May 25, 2018.

What Does GDPR Require, Anyway?

GDPR is a significant new series of privacy regulations applicable to all companies who have a physical presence in the EU, those who store or process personal information of European citizens or residents, as well as companies who provide services to those companies. GDPR creates many new protections for EU citizens, regardless of their location, including the right to receive a copy of the data retained on them by an organization (upon request within 30 days), and mandatory data breach notification within 72 hours of discovery, with very few exceptions. (Contrast the 72-hour GDPR data breach notification to your own state law, which may not require reporting at all if the data is encrypted.)

The third significant requirement is for each organization to name individuals inside or outside the company who are responsible for protecting the privacy of personal data, including the following:

Data controllers are executives who define how personal data is processed;

Data processors are internal managers or outside service providers who are responsible for processing personal data; and

Data protection officers are mandated compliance officers at large organizations who oversee data security strategy and GDPR compliance – similar to an internal audit function – and should report to executive-level management.

A final significant new requirement granted under the statute is the controversial “right of erasure,” more commonly referred to as the “right to be forgotten.” This regulation has already been used to require Google to delete unfavorable images which were stored in its Google Street View service, and might, for example, allow data subjects to tell certain marketers to “forget” their data.

This provision appears to give data subjects the right to request and have data removed from your databases under most circumstances, including:

if the data is no longer necessary

if the subject objects to the private data being processed

if the subject withdraws consent for the organization to retain and process data, which can be done at any time.

How GDPR Affects US Companies and Accountants

Accountants should be particularly concerned about these regulations, as the private data needed to provide professional services to your clients with operations in the EU is covered by these regulations. For example, your client could agree to provide information about their business and its EU subsidiaries to you when you are in the EU, but you might be prohibited from accessing private information about their employees, customers, and vendors from outside of the EU.

What’s worse is that the law (and fine regimes), as written, appears to apply to the private data of any EU citizen – including those with dual citizenship living in the US, meaning that you may have a potential compliance problem with your existing US-based clients. Think of the complications for expatriate tax or international audit processes where an EU entity is involved.

You may not be able to legally provide the service without being subject to a GDPR fine. Consider also a company that would like to expand its business into the EU, or for that matter is doing business in the EU today, and you begin to understand that what happens in the EU will need to stay in the EU.

A significant risk to US companies who wish to do business with EU citizens is that they may not transfer data about EU subjects outside the EU. The regulations require companies outside the EU to modify their business practices in one of three major ways before they can do business with EU citizens and organizations.

A US company can enroll in a US Department of Commerce program, the US-EU Privacy Shield framework (www.privacyshield.gov), and comply with its terms.

The company can work with its EU privacy regulator to draft and submit Binding Corporate Rules and policies for regulatory approval. Once the approval process by the regulators is complete, the company will be listed on a registry of companies who have completed this process.

The company can include model contract provisions in all of its agreements with data controllers and data processors, in which the controllers and processors agree to provide safeguards for the personal information that are acceptable to EU regulators.

Without following one of these three protocols, anyone is prohibited from gathering, storing, or processing information on EU citizens from outside of the EU, and is subject to fines.

Penalties for Noncompliance

No regulation will be followed without penalties for scofflaws, and the EU is very comfortable levying massive fines on large companies. A CNBC article from 2017 details some of the €8.472B ($9.54B in USD) in fines from the EU Competition Commission between 2013 and 2017 against multinational corporations.

That total doesn’t include other epic charges, including a lawsuit by the EU against Ireland for its failure to recover up to €13 billion ($15.4B) which the EU alleges that Ireland should have levied against Apple, as well as a €997 million ($1.2B) fine charged to Qualcomm in January 2018 for alleged anticompetitive behavior.

Unfortunately, these eye-popping records for civil penalties are likely to fall in the near future with the new fines permitted for noncompliance under GDPR. Data controllers and data processors can expect penalties for failure to comply with GDPR of up to 2% of worldwide sales or €10 million, whichever is greater.

Organizations can also face fines of up to 4% of worldwide sales or up to €20 million, whichever is greater, for violating the data privacy rights of EU citizens, failing to comply with an EU data supervisory authority, improperly transferring personal data, or not complying with basic processing principles.

Conclusion

While these new activities will create a new data protection bureaucracy in EU governments and organizations, they will also serve to make the EU a de facto regulator of the internet worldwide. The prosecutorial discretion exercised by the unelected EU regulators will give the EU another new and interesting way to penalize businesses who fall into its crosshairs.

As Apple and Google have learned the hard way, the EU has used regulations in the past against large companies and levied billions of euros in fines and other penalties. Whether your clients are self-employed or work with a major corporation, if they do business in the EU or have private data on any EU citizen, they ignore these new requirements from Brussels at their own peril.

About Brian Tankersley, CPA, CITP

Brian Tankersley, CPA, CITP, is a technology consultant, educator, and writer who serves as Director of Strategic Relationships for K2 Enterprises, where he works with vendors serving the industry to understand their existing and new offerings.